shopping cart: cookies or sessions

jomns

Hi there,

I would like to know what the best method is to implement a shopping cart, using cookies or sessions.

I read in this forum that sessions expire when then browser is closed, but this is not true. If you're not logged out, you can still enter the page by reopening it again. If you're logged out you can still enter the page by clicking on the back button.

Does anyone has some comments?

Thanks

Merve

Sessions should expire when the browser is closed. The browser might be minimized to the taskbar, stopping the sessions from being deleted.

I would go with a session. They are much easier to use when no signing up or becoming a member is required. If people can also become members of that site, then use cookies for them, but keep sessions for those who do not become members.

jomns

Thanks for you comments.

There is something that I cannot understand: the session is not destroy or expired when a logged in user close the browser (not minimized). If this user opens the browser and type the link again, he is still logged in.

Some comments please?

Thanks,

Jonathan

Drakla

If the session is using a session cookie with a lifetime of zero, then yes, the session id will be lost when the browser is closed. But if you want a session you can return to then you can set the cookie lifetime before starting the session to give it a lifetime in seconds

session_set_cookie_params(1200); session_start();

Would keep it valid for 20 minutes, and a further 20 minutes each time the page was accessed if keeping the same parameters.

If the session ID is passed in the url it's a different kettle of beans, clearly. The server only kills of the session files after they're older than session.gc_maxlifetime seconds (set in php.ini) and the garbage collection kicks in, so if you did use the url with the session id in it and come back to the page before that time had passed the data would still be there.

Ta-dahhh

jomns

What do you mean by passing the session to the url?
You mean by the get method. Because i only use the post method for all my files.

Is it also possible to use it like this: In order to expire sessions after browser closure:

set_session_cookie_params(0);
session_start();

thanks,

Jonathan

laserlight

Sessions should expire when the browser is closed.

Actually, the session cookie (if one is used) expires, but the session itself (being stored serverside) doesnt expire until the time limit is reached.

jomns

Thanks for you reply.

I still have one question about sessions:
How do I solve the problem of destroying a session after the browser is closed. I want to prevent people logging on a share computer and leave without loggin out, making it possible for others to access private sites.

I use lycos as a test webserver!

Thanks again,

Jonathan

Merve

I believe you just answered your question in your previous post.

jomns

If you mean my post:

sessions and cookies after closing a window without logging out :

<body onUnload="window.location.href="session_destroy.php">
This won't work because, if you click a link which redirects to another the page will execute the unload call. While it should be only meant to destroy the sessions when the page is closed.

And the second option:
header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" );
header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
header( "Cache-Control: no-cache, must-revalidate" );
header( "Pragma: no-cache" );

Believe me I have tried this, but I still have the same problems!
- If you close the browser without loggin out, it is possible to view the private page.
- If you log out , but click the back button, it is still possible to view the restricted page.

Is there out, some one who have had the same, problems?

Thanks